Apache · Apache Hadoop · CVE-2021-25642
**Name of the Vulnerable Software and Affected Versions**
Apache Hadoop versions prior to 2.10.2
Apache Hadoop versions prior to 3.2.4
Apache Hadoop versions prior to 3.3.4
**Description**
The ZKConfigurationStore, optionally used by CapacityScheduler of Apache Hadoop YARN, deserializes data from ZooKeeper without validation, allowing an attacker with access to ZooKeeper to run arbitrary commands as the YARN user.
**Recommendations**
For versions prior to 2.10.2, upgrade to Apache Hadoop 2.10.2 or later.
For versions prior to 3.2.4, upgrade to Apache Hadoop 3.2.4 or later.
For versions prior to 3.3.4, upgrade to Apache Hadoop 3.3.4 or later.
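The following triage helper is an added example, not part of the advisory or of Hadoop. It reads the three ranges per release line (so the fixed 2.10.2 and 3.2.4 releases are not flagged merely for being numerically below 3.3.4) and checks a `yarn-site.xml` for the ZooKeeper-backed configuration store. Assumptions: 3.0.x and 3.1.x take the 3.2.4 fix, the store is selected with the YARN property `yarn.scheduler.configuration.store.class` set to `zk`, and all function names and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# YARN property that selects the scheduler configuration store (not named in the advisory).
STORE_KEY = "yarn.scheduler.configuration.store.class"

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Hadoop 3.3.1' or '2.10.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def fixed_release(version):
    """Fixed release for this version's line, or None for lines newer than any listed."""
    major, minor, _ = version
    if major <= 2:
        return (2, 10, 2)
    if major == 3 and minor <= 2:  # assumption: 3.0.x and 3.1.x take the 3.2.4 fix
        return (3, 2, 4)
    if major == 3 and minor == 3:
        return (3, 3, 4)
    return None

def is_affected(version):
    fix = fixed_release(version)
    return fix is not None and version < fix

def uses_zk_store(yarn_site_xml):
    """True if the configuration selects the ZooKeeper-backed store."""
    root = ET.fromstring(yarn_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == STORE_KEY:
            return (prop.findtext("value") or "").strip().lower() == "zk"
    return False  # property absent: the ZooKeeper store is not selected

def triage(version_text, yarn_site_xml):
    version = parse_version(version_text)
    if not is_affected(version):
        return "patched"
    advice = "upgrade to %d.%d.%d or later" % fixed_release(version)
    if uses_zk_store(yarn_site_xml):
        return "exposed: " + advice
    return "affected release, ZK store not configured: " + advice

# Constructed sample input, not taken from a real cluster.
SAMPLE_YARN_SITE = """<configuration>
  <property><name>yarn.scheduler.configuration.store.class</name><value>zk</value></property>
</configuration>"""
```

A host reported as "affected release, ZK store not configured" still needs the upgrade, since the store can be enabled later by a configuration change.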